no aaa new-model and ssh login is no longer possible

todd.hsieh

Hi,

I always had a wrong understanding: when I typed "no aaa new-model", I thought it meant deleting all AAA. There is no AAA setting in the configuration, and it will switch back to local authentication.

But recently I found that when I type "no aaa new-model", I can't SSH into the router again, even though I have a local username/password. Only telnet works.

Does anyone have the same experience?

Todd

7 Replies

Share the config of the device.

MHM

Jens Albrecht

Hello @todd.hsieh,

This is a pretty common misunderstanding. If you use the 'no aaa new-model' command, the settings will revert to the DEFAULT settings, whatever they are. On many platforms the default for the vty lines is 'login', which of course does not allow SSH access.

Just collected the snippets from a 3560X platform as an example:

! AAA enabled
!
LAN-Switch#sh run | in aaa
aaa new-model
!
LAN-Switch#sh run | beg line vty
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 transport output none
!
! Disable AAA and confirm
!
conf t
  no aaa new-model
!
LAN-Switch#sh run | in aaa
no aaa new-model
!
LAN-Switch#sh run | beg line vty
line vty 0 4
 exec-timeout 5 0
 logging synchronous
 login
 transport input ssh
 transport output none
!

So disabling AAA leads to a situation where you have a config that allows neither SSH nor Telnet.

You have to manually change the vty config to 'login local' to make SSH work again.

HTH!

"Only telnet is workable" <<- this point is confusing.

We need to see the config first.

MHM

Well, only telnet working means that the line vty is probably set to 'transport input all', which is the default setting for many older platforms.

So with the default set to 'login' you can use telnet if a password was set some time in the past.

Activating AAA deletes the 'login local' command but does not affect other commands like 'transport input <option>' or 'password <some password>'. These commands remain in the config after activating AAA. After removing AAA these commands are still there and do their job.

So I am sure that the config looks similar to this:

line vty 0 4
 login
 password <some password>
 transport input all

Hence telnet is working after removing AAA.

HTH!
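The two replies above describe a rule that can be checked mechanically against a saved 'show running-config'. The following Python script is an added example, not code from this thread or from Cisco: it parses the vty sections and reports, per line, whether SSH and Telnet logins would succeed when AAA is disabled, using exactly the reasoning stated above (SSH needs 'login local' plus a username; Telnet also accepts plain 'login' with a line 'password'; 'transport input' decides which protocols reach the line at all). The three sample configs are constructed for illustration, and the assumption that an unconfigured 'transport input' defaults to 'all' is a parameter you can change for your platform.

```python
"""Audit IOS-style running-config text for the 'no aaa new-model' vty trap.

Added example (not from the thread or from Cisco). The rules encode the replies
above: without AAA, SSH on a vty needs 'login local' and a username, while
Telnet also works with plain 'login' plus a line 'password'.
"""
from dataclasses import dataclass, field

# Constructed sample configs (not the poster's device). The username hash is a placeholder.
CONFIG_SSH_ONLY = """\
no aaa new-model
username admin privilege 15 secret 5 $1$abcd$placeholderhashxxxxxxxxx
!
line vty 0 4
 login
 transport input ssh
!
"""
CONFIG_TELNET_WORKS = """\
no aaa new-model
username admin privilege 15 secret 5 $1$abcd$placeholderhashxxxxxxxxx
!
line vty 0 4
 login
 password cisco123
 transport input all
!
"""
CONFIG_FIXED = """\
no aaa new-model
username admin privilege 15 secret 5 $1$abcd$placeholderhashxxxxxxxxx
!
line vty 0 4
 login local
 transport input ssh
!
"""


@dataclass
class VtyLine:
    name: str
    login: str = "none"                 # "none", "password" (plain 'login') or "local"
    has_password: bool = False          # a 'password ...' command exists on the line
    transports: set = field(default_factory=set)  # tokens after 'transport input'


def parse_config(text):
    """Return (aaa_enabled, usernames, [VtyLine]) from running-config text."""
    aaa, usernames, vtys, current = False, set(), [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # global command: leaves any 'line' section
            current = None
            if line == "aaa new-model":
                aaa = True
            elif line.startswith("username "):
                usernames.add(line.split()[1])
            elif line.startswith("line vty"):
                current = VtyLine(line)
                vtys.append(current)
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd == "login":
            current.login = "password"
        elif cmd == "login local":
            current.login = "local"
        elif cmd == "no login":
            current.login = "none"
        elif cmd.startswith("password "):
            current.has_password = True
        elif cmd.startswith("transport input "):
            current.transports = set(cmd.split()[2:])
    return aaa, usernames, vtys


def audit(text, default_transport=frozenset({"all"})):
    """Map each vty section to {'ssh': bool|None, 'telnet': bool|None, 'notes': [...]}.

    default_transport is an assumption for lines with no 'transport input' command
    (the thread notes many older platforms default to 'all').
    """
    aaa, usernames, vtys = parse_config(text)
    report = {}
    for v in vtys:
        if aaa:   # with AAA on, the line's 'login' commands are not what decides access
            report[v.name] = {"ssh": None, "telnet": None,
                              "notes": ["aaa new-model present: AAA method lists apply"]}
            continue
        transports = v.transports or set(default_transport)
        ssh_allowed = bool(transports & {"all", "ssh"})
        telnet_allowed = bool(transports & {"all", "telnet"})
        local_ok = v.login == "local" and bool(usernames)
        line_pw_ok = v.login == "password" and v.has_password
        notes = []
        if v.login == "local" and not usernames:
            notes.append("'login local' but no username configured")
        if v.login == "password" and not v.has_password:
            notes.append("plain 'login' without a line password: nobody can log in")
        if v.login == "password" and ssh_allowed:
            notes.append("SSH reaches the line but will not authenticate against a line "
                         "password; change to 'login local'")
        report[v.name] = {"ssh": ssh_allowed and local_ok,
                          "telnet": telnet_allowed and (local_ok or line_pw_ok),
                          "notes": notes}
    return report


if __name__ == "__main__":
    for label, cfg in [("ssh-only", CONFIG_SSH_ONLY), ("telnet-works", CONFIG_TELNET_WORKS),
                       ("fixed", CONFIG_FIXED)]:
        print(label, audit(cfg))
```

Run it against the output of 'show running-config' from the affected device; a vty entry with "ssh": False and a note recommending 'login local' is the situation this thread describes, and the fix is the one line under 'line vty 0 4' that the reply above names.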

Friend, let's see his config first.

Did he use two vty groups or one?

Did he use 'input all' or 'ssh'?

We are guessing; let's see his config, then guide him.

Thanks a lot.

MHM

Hello, 

From my point of view, the issue isn't really about transport input all vs. ssh/telnet, but about how authentication is tied to the line configuration once he removes AAA...

Transport input all is probably there, yes, but it's not the cause. The cause is that once he issued the no aaa new-model command, line vty likely has only login configured (expecting a single password), and not login local. SSH won't fall back to that, so it fails.

Like @MHM Cisco World said, let's see the config.

Best regards

I never said that 'transport input all' has anything to do with the problem.

In my first reply I mentioned very clearly that the root cause is the fact that removing AAA reverts the settings for the vty lines to the default, which is 'login'. I have seen this issue many, many times, so no doubt about that.